AZOP (Croatia) - Decision 14-09-2023
| AZOP - Decision 14-9-2023 | |
|---|---|
 | |
| Authority: | AZOP (Croatia) |
| Jurisdiction: | Croatia |
| Relevant Law: | Article 6(1) GDPR Article 7 GDPR Article 13(1) GDPR Article 13(2) GDPR ePrivacy Directive |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 01.09.2023 |
| Published: | 14.09.2023 |
| Fine: | 20000 EUR |
| Parties: | Unknown |
| National Case Number/Name: | Decision 14-9-2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Croatian |
| Original Source: | AZOP (in HR) |
| Initial Contributor: | Karlo Paljug |
Croatian personal data protection agency imposed fine to gambling and betting company due to illegal data processing via cookies on its website.
English Summary
Facts
The Agency imposed administrative fine on data controller (gambling and betting company) in the amount of EUR 20,000.00 due to three identified violations GDPR regarding cookies installation.
Holding
The data controller collected and processed the data of website visitors through cookies without a legal basis, which violated Art. 6, paragraph 1 of the GDPR.
In the same way, the data controller did not adequately provide information to the data subjects, i.e. voluntarily give and/or withdraw their consent, which violated Article 7. Namely, the visitor must give separate consent for each type of cookie according to their functionality, that is, consent cannot be combined for all types of cookies, and in specific cases there was no option to give/withdraw consent separately for each type of cookie.
It was established that the data controller did not adequately inform the website visitors about the processing of personal data, i.e. about the processing of data through cookies, which violated Art. 13, paragraphs 1 and 2. When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83 paragraph 2, such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.
The Agency for the Protection of Personal Data imposed two administrative fines on data processors, gambling and betting companies in the amount of EUR 20,000.00 (HRK 150,690.00) and EUR 30,000.00 (HRK 226,035.00), due to three identified violations General regulations on data protection in both cases: The processing managers collected and processed the personal data of respondents or website visitors through cookies without a legal basis, which violated Art. 6, paragraph 1 of the General Data Protection Regulation. Namely, in order for the processing of personal data to be legal, the existence of at least one of the legal bases from the article in question is necessary, which in this particular case the processing managers did not fulfill, that is, they did not prove the existence of a legal basis for the processing of personal data through cookies (cookies - small files that The Internet browser stores on the computer, mobile device or other device with which the respondent visited the Internet pages, and in this way they remember and monitor his further actions on the Internet pages, and which processing is also related to aspects of personal data). In the same way, the data controllers did not adequately provide information to the respondents, i.e. enable the respondents to be sufficiently informed, i.e. voluntarily give and/or withdraw their consent, which violated Article 7 of the General Data Protection Regulation. Namely, the visitor must give separate consent for each type of cookie according to their functionality, that is, consent cannot be combined for all types of cookies, and in specific cases there was no option to give/withdraw consent separately for each type of cookie. It was established that the data controllers did not adequately inform the respondents (website visitors) about the processing of personal data, i.e. about the processing of data through cookies, which violated Art. 13, paragraphs 1 and 2 of the General Data Protection Regulation. Namely, the processing managers did not inform the respondents about the subject processing in accordance with the principle of transparency, and thus the respondents (website visitors) were deprived of information about data processing such as the legal basis, the function of each cookie and the cookie storage period. When deciding on the imposition of administrative fines and their amounts, attention is paid to the provisions specified in Article 83 paragraph 2 of the General Data Protection Regulation, such as the nature, severity and duration of the violation; whether the violation is intentional or negligent; the degree of responsibility of the data controller, etc.
